Abstract
In recent years, software security incidents have emerged in an endless stream, involving more and more fields and causing ever greater harm. Existing defect databases contain an enormous number of security vulnerabilities; testing each of them individually is prohibitively expensive. This paper therefore first classifies security defects along three dimensions: the cause by which the defect was introduced, the dangerous consequence it can produce, and the operation mode that may activate it. This three-dimensional structured classification compensates for the shortcomings of any single classification scheme and gives testers a more accurate and detailed means of describing security defects. Second, by combining data flow graphs with data interaction boundaries, a feasible technique for determining software security defects based on data interaction boundaries is proposed. Finally, by improving the DREAD model, a software security defect priority measurement model is proposed, thereby addressing the problems of locating software security defects and determining their priority.
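To make the locate-then-rank pipeline of the abstract concrete, the following Python block is an added example and not the authors' code. It models a small data-flow graph whose components sit in trust zones, treats every edge that crosses between zones as a data interaction boundary (and therefore a candidate defect location), labels each candidate with the three classification dimensions named in the abstract, and ranks the candidates by a DREAD score. The paper's improved DREAD model is not described on this page, so the block uses the classic five-factor DREAD mean (Damage, Reproducibility, Exploitability, Affected users, Discoverability, each rated 0-10); the components, zones, dimension labels and ratings are constructed sample data, not findings from the paper.

```python
"""Candidate security-defect locations at data interaction boundaries of a
data-flow graph, ranked with classic DREAD.  Added illustration; the zones,
components, dimension labels and ratings below are constructed sample data."""
from dataclasses import dataclass
from statistics import mean

# Assumed trust zones: a flow between two zones crosses a data interaction
# boundary.  Higher rank means more trusted.
TRUST_RANK = {"internet": 0, "dmz": 1, "internal": 2}

# Classic five-factor DREAD (the paper's modified model is not on this page).
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass(frozen=True)
class Flow:
    """One directed edge of the data-flow graph."""
    src: str
    dst: str
    data: str


def boundary_crossings(zones, flows):
    """Return (flow, direction) for every edge whose endpoints lie in different
    trust zones.  'inbound' means less-trusted data enters a more trusted zone
    (input-handling defects); 'outbound' means trusted data leaves (disclosure)."""
    found = []
    for f in flows:
        src_rank, dst_rank = TRUST_RANK[zones[f.src]], TRUST_RANK[zones[f.dst]]
        if src_rank != dst_rank:
            found.append((f, "inbound" if dst_rank > src_rank else "outbound"))
    return found


@dataclass
class Candidate:
    """A suspected defect at one boundary crossing, described along the three
    dimensions from the abstract plus its DREAD ratings."""
    flow: Flow
    cause: str          # how the defect was introduced (assumed label)
    consequence: str    # dangerous consequence if activated (assumed label)
    operation: str      # operation mode that may activate it (assumed label)
    dread: dict         # factor name -> rating 0..10

    def score(self) -> float:
        for k in DREAD_FACTORS:
            v = self.dread.get(k)
            if not isinstance(v, (int, float)) or not 0 <= v <= 10:
                raise ValueError(f"DREAD factor {k} must be 0..10, got {v!r}")
        return round(mean(self.dread[k] for k in DREAD_FACTORS), 1)


def rank_candidates(candidates):
    """Highest DREAD score first: the order in which to spend test effort."""
    return sorted(candidates, key=lambda c: c.score(), reverse=True)


# --- constructed sample system -------------------------------------------
ZONES = {"browser": "internet", "web_app": "dmz", "cache": "dmz", "db": "internal"}
FLOWS = [
    Flow("browser", "web_app", "login form"),
    Flow("web_app", "cache", "session"),      # same zone: no boundary
    Flow("web_app", "db", "SQL query"),
    Flow("db", "web_app", "result rows"),
    Flow("web_app", "browser", "HTML page"),
]


def _dread(d, r, e, a, dv):
    return dict(zip(DREAD_FACTORS, (d, r, e, a, dv)))


# Constructed candidates, one per boundary crossing (ratings are illustrative).
CANDIDATES = [
    Candidate(FLOWS[0], "missing input validation", "authentication bypass",
              "submit crafted credentials", _dread(8, 10, 7, 10, 9)),
    Candidate(FLOWS[2], "string-concatenated query", "data tampering",
              "inject SQL via a form field", _dread(9, 10, 8, 10, 8)),
    Candidate(FLOWS[3], "over-fetching of rows", "information disclosure",
              "enumerate record identifiers", _dread(5, 8, 5, 6, 5)),
    Candidate(FLOWS[4], "unescaped output", "script execution in the client",
              "reflect a crafted parameter", _dread(6, 10, 8, 7, 9)),
]

if __name__ == "__main__":
    for f, direction in boundary_crossings(ZONES, FLOWS):
        print(f"boundary: {f.src} -> {f.dst} ({direction}): {f.data}")
    for c in rank_candidates(CANDIDATES):
        print(f"{c.score():4.1f}  {c.flow.data:12}  {c.cause} / "
              f"{c.consequence} / {c.operation}")
```

The same-zone edge (web_app to cache) is deliberately excluded: the technique in the abstract concentrates test effort on data interaction boundaries rather than on every edge of the graph, which is what keeps the cost below exhaustive testing of a defect database.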
Authors
PENG Hui-bin; FEI Qi (Jiangsu Institute of Automation, Lianyungang 222061, China)
Source
Computer Technology and Development, 2019, No. 8, pp. 107-112 (6 pages)
Funding
Technical Foundation Research of the State Administration for Science, Technology and Industry for National Defense (JSZL2017207B013)
Keywords
software security defects; security defect requirement acquisition; security defect location; priority measurement model